HomeIntelligenceBrief
BREACH BRIEF🟠 High ThreatIntel

USB Worm Spreads Crypto‑Stealing Malware via Windows Shortcut Files on Removable Drives

A malicious LNK‑based worm on USB drives installs clipboard‑stealing malware that harvests cryptocurrency seed phrases, private keys and wallet addresses, exfiltrating the data over Tor. The campaign highlights gaps in device‑control and user‑awareness policies that SOC 2 compliance programs must address.

LiveThreat™ Intelligence · 📅 June 18, 2026· 📰 bleepingcomputer.com
🟠
Severity
High
TI
Type
ThreatIntel
🎯
Confidence
High
🏢
Affected
3 sector(s)
Actions
4 recommended
📰
Source
bleepingcomputer.com

USB Worm Spreads Crypto‑Stealing Malware via Windows Shortcut Files on Removable Drives

What Happened — Threat actors are distributing a Windows shortcut (LNK)‑based worm on USB drives. When a user opens the shortcut, the malware installs clipboard‑stealing components that monitor for cryptocurrency seed phrases, private keys and wallet addresses, exfiltrating the data over Tor. The worm also self‑propagates to other USB devices and creates malicious shortcuts that replace legitimate documents.

Why It Matters for Compliance & Audit Readiness

  • Demonstrates a failure of logical‑access and device‑control policies that SOC 2 CC6.1 (Logical Access) and CC6.2 (Physical & Environmental Controls) are designed to mitigate.
  • Continuous monitoring of process activity (e.g., wscript.exe, curl, PowerShell) provides the audit evidence needed to prove that access‑control safeguards are operating effectively.
  • Security‑awareness training and documented user‑device handling procedures are required controls under SOC 2 CC1.1 (Control Environment) to reduce reliance on user behavior.

Who Is Affected — Financial services, cryptocurrency exchanges, fintech firms, and any organization that permits USB device usage on employee workstations.

Recommended Actions

  • Map the incident to SOC 2 CC6.1/CC6.2 controls, update device‑control policies, and enforce “disable autorun” and “USB‑only on managed endpoints” rules.
  • Deploy continuous process‑monitoring (EDR) to capture anomalous launches of wscript.exe, cscript.exe, curl, PowerShell, and cmd.exe; retain logs as audit evidence.
  • Conduct targeted security‑awareness training on the risks of opening unknown shortcut files and removable media.
  • Validate that Tor‑proxy traffic is blocked or monitored per your network‑segmentation policy. Source: BleepingComputer

Technical Notes

  • Attack vector: malicious .LNK shortcut files on USB drives.
  • Payloads delivered via a hidden .ONION address; communication routed through Tor (ugate.exe).
  • Capabilities: clipboard monitoring for BIP‑39 seed phrases, Ethereum/Bitcoin keys, wallet addresses; screenshot capture; optional remote code execution via downloaded JavaScript.
  • Indicators of compromise: unexpected wscript.exe/cscript.exe processes, curl executions, PowerShell or cmd.exe launches, and connections to localhost:9050 (Tor proxy). Source: BleepingComputer
📰 Original Source
https://www.bleepingcomputer.com/news/security/usb-worm-spreads-crypto-stealing-malware-via-windows-shortcut-files/

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · SOC 2 Readiness

Could you prove your access controls held up here?

Credential and access failures map directly to SOC 2 access-control criteria. The Verisq AI Trust Operations platform shows where your evidence is thin before an auditor — or an attacker — finds out.

Explore the Verisq AI Trust Operations platform →